Axios Supply Chain Attack

Privacy Guides Community [Unofficial] April 2, 2026
Source

Malwarebytes – 31 Mar 26

Axios supply chain attack chops away at npm trust

Developers using the axios package from npm may have downloaded a malicious version that drops a Remote Access Trojan

Using compromised credentials of a lead maintainer of Axios, an attacker published poisoned packages to npm: axios@1.14.1 and axios@0.30.4. The malicious versions inject a new dependency, plain-crypto-js@4.2.1, which is never imported anywhere in the axios source code.

Together the two affected packages reach up to 100 million weekly downloads on npm, which means they have a huge impact radius across web apps, services, and pipelines.

It is important to note that the affected Axios versions do not appear in the project’s official GitHub tags. This means that the people and projects affected are developers and environments that ran npm install and resolved to:

  • axios@1.14.1 or axios@0.30.4, or

  • the dependency plain-crypto-js@4.2.1.

Any workflow that installed one of those versions with scripts enabled may have exposed all injected secrets (cloud keys, repo deploy keys, npm tokens, etc.) to an interactive attacker, because the postinstall script (node setup.js) that runs automatically on npm install downloaded an obfuscated dropper that retrieves a platform-specific RAT payload for macOS, Windows, or Linux.

As someone who uses npm every day, this is extremely concerning news and I’m surprised it hasn’t reached many yet (at least no one in my inner dev circle knew about this until I told them).

Have any of you been impacted or compromised by the attack?
